CVE-2014-3865

Published: 30 May 2014

Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header in conjunction with (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname.

Priority

Status

Package	Release	Status
dpkg Launchpad, Ubuntu, Debian	lucid	Released (1.15.5.6ubuntu4.9)
	precise	Released (1.16.1.2ubuntu7.5)
	saucy	Released (1.16.12ubuntu1.3)
	trusty	Released (1.17.5ubuntu5.3)
	upstream	Released (1.17.10)
	Patches: upstream: http://anonscm.debian.org/gitweb/?p=dpkg/dpkg.git;a=commitdiff;h=5348cbc

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183
http://openwall.com/lists/oss-security/2014/05/25/2
https://ubuntu.com/security/notices/USN-2242-1
https://www.cve.org/CVERecord?id=CVE-2014-3865
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›